Integrating NG SAST into the GitHub Pull Request Workflow

This article will show you how to integrate ShiftLeft CORE's NG SAST into your GitHub Pull Request (PR) workflow for automated code analysis using GitHub Actions.

Prerequisites

This article assumes that you have an existing GitHub repository to which you would like to add NG SAST for automated code analysis.

Step 1: Create Your Secrets

GitHub secrets are encrypted values that GitHub exposes to Actions workflows (as `${{ secrets.NAME }}` expressions, typically mapped into environment variables) without storing them in your repository's source. Repository secrets are available only to workflows in that repository and are redacted from workflow logs, but any workflow that can reference them can read them, so control who can push workflow changes accordingly.

To create a repository secret, go to Settings > Secrets and click New secret. Create a secret named SHIFTLEFT_ACCESS_TOKEN and paste in your ShiftLeft CI token; the workflow reads it as `${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}`.

GitHub Secrets

If you are adding NG SAST to multiple repos, you may prefer to create the secret once at the organization level (Organization settings > Secrets) and grant selected repositories access to it, rather than maintaining a copy of the token in every repo.

You can create your CI token in the ShiftLeft Dashboard.

Step 2: Create Your GitHub Action and Define Its Workflow

GitHub Actions offers you workflow automation functionality. You can use this to automatically run NG SAST (e.g., when you create a new Pull Request).

To create a new GitHub Action for your repository, click Actions. If this is your first time setting up a GitHub Action, click set up a workflow yourself near the top-left; otherwise click New workflow, then select set up a workflow yourself.

GitHub Actions starter workflows

You will be redirected to a YAML editing window. Rename the file (if desired), and replace its contents with the following workflow, which downloads the ShiftLeft CLI and invokes NG SAST.

# This workflow integrates ShiftLeft NG SAST with GitHub
# Visit https://docs.shiftleft.io for help
name: ShiftLeft
on:
  pull_request:
  workflow_dispatch:
  push:
    # We recommend triggering a scan when merging to your default branch as a best practice,
    # especially if you'd like to compare the results of two scans (e.g., a feature branch against the
    # default branch)
    branches:
      - main
      - master
jobs:
  NextGen-Static-Analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Download ShiftLeft CLI
        # -f makes curl fail on an HTTP error instead of saving an error page as the binary
        run: |
          curl -fsSL https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
      # ShiftLeft requires Java 1.8. Place this step after any build/package step so that it
      # overrides the Java version that step selected.
      - name: Setup Java JDK
        uses: actions/setup-java@v1.4.3
        with:
          java-version: 1.8
      - name: NextGen Static Analysis
        # github.head_ref is only populated for pull_request events; on push and
        # workflow_dispatch runs fall back to github.ref_name so the scan is still tagged
        # with the branch it came from.
        run: ${GITHUB_WORKSPACE}/sl analyze --app ShiftLeftJS --tag branch=${{ github.head_ref || github.ref_name }} --js --cpg $(pwd)
        env:
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GitHub Actions Configuration
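The branch tag passed to `sl analyze` deserves a closer look: `github.head_ref` is populated only for `pull_request` events, so a scan triggered by a push to the default branch needs to take its branch name from `GITHUB_REF` instead. The helper below is an added example, not code from the ShiftLeft documentation or the `sl` CLI; it derives the tag from the runner's environment variables, fails fast if the CI token secret is empty (the usual cause being a pull request from a fork, to which GitHub does not expose repository secrets), and assembles the same `sl analyze` command line the workflow runs. The function names `branch_tag`, `require_token` and `sl_command` and the demo inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ShiftLeft docs): pre-flight helpers for the
# "NextGen Static Analysis" step, written for POSIX sh so they work in a
# `run:` block on ubuntu-latest or in a local shell.

# Print the value for `--tag branch=...`.
# $1 = GITHUB_EVENT_NAME, $2 = GITHUB_HEAD_REF, $3 = GITHUB_REF
# GITHUB_HEAD_REF is set only for pull_request events; for every other event
# the branch (or tag) name is recovered from GITHUB_REF by stripping its prefix.
branch_tag() {
    if [ "$1" = "pull_request" ] && [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        ref="${3#refs/heads/}"   # refs/heads/main      -> main
        ref="${ref#refs/tags/}"  # refs/tags/v1.2       -> v1.2
        printf '%s\n' "$ref"
    fi
}

# Return 0 if SHIFTLEFT_ACCESS_TOKEN is set and non-empty, 1 otherwise.
# Checking up front gives a clear job-log message instead of an opaque
# authentication failure from sl part-way through the analysis.
require_token() {
    if [ -z "${SHIFTLEFT_ACCESS_TOKEN:-}" ]; then
        echo "SHIFTLEFT_ACCESS_TOKEN is empty; add it under Settings > Secrets" \
             "(note: secrets are not exposed to pull requests from forks)" >&2
        return 1
    fi
    return 0
}

# Print (do not run) the sl command line so it can be inspected in the job log.
# $1 = app name, $2 = branch tag, $3 = path to the sl binary, $4 = CPG source directory
sl_command() {
    printf '%s analyze --app %s --tag branch=%s --js --cpg %s\n' "$3" "$1" "$2" "$4"
}

# Demo with constructed inputs (not values captured from a real run):
if [ "${1:-}" = "demo" ]; then
    branch_tag pull_request feature/login refs/pull/42/merge   # feature/login
    branch_tag push "" refs/heads/main                         # main
    require_token && sl_command ShiftLeftJS "$(branch_tag push "" refs/heads/main)" ./sl "$(pwd)"
fi
```

In a workflow you would call these from the analysis step, e.g. `require_token && ./sl analyze ... --tag branch=$(branch_tag "$GITHUB_EVENT_NAME" "$GITHUB_HEAD_REF" "$GITHUB_REF") ...`, which gives the same result as the `github.head_ref || github.ref_name` expression without depending on the expressions context.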

When done, click Start commit and follow the prompts to commit the file to your repo.

Commit configuration

Once the commit lands, the newly configured workflow is listed under the repository's Actions tab.

GitHub Actions

Step 3: Test Your Workflow

At this point, you're done with the configuration steps. You can check whether the GitHub Action is set up correctly by triggering the workflow (e.g., by creating a Pull Request). Note that for pull requests opened from a fork, GitHub does not expose repository secrets (other than GITHUB_TOKEN) to the workflow, so SHIFTLEFT_ACCESS_TOKEN will be empty and the analysis step will fail; test with a branch in the repository itself.

New PR

You can click Status for additional details about the workflow's progress:

Workflow Progress

When the run finishes, a summary of NG SAST's findings appears as a check on the PR:

Completed Check

You can get full details regarding the analysis at any time from the ShiftLeft Dashboard.